APT Attacks Using Word File Disguised as Donation Receipts for Uljin Wildfire (Kimsuky)

At the beginning of March this year, a wildfire broke out in the Samcheok and Uljin area, and people from all over Korea donated to help the victims and repair the damage. Amidst this situation, the ASEC analysis team discovered an attacker attempting to launch APT attacks using a file disguised as a donation receipt for the Uljin wildfire.

The file was created on March 28th, and its author’s name is the same as the author (Acer) that was introduced in the previous ASEC blog.

Although the attack method and the file’s features are the same as those described in the previous blog, this attack creates a batch file with a different name when the macro is run. The batch file was distributed as moster.bat, and its features are identical to those of “error.bat” in the previous blog.

  • C:\Users\Public\Documents\moster.bat -> Registers the start.vbs file under the RUN key (persistence), runs the no4.bat file, and downloads additional files
  • hxxp://nomonth-man.com/dfg04/%COMPUTERNAME%.txt (Additional file download URL)
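The three behaviours listed above (a Run-key value pointing at a script under C:\Users\Public, a Word-dropped batch file being executed, and a download of a file named after the victim machine) are all visible in endpoint telemetry. The following is an added detection example written for this post; it is not code from ASEC or from the malware. It assumes a simplified key=value event format and a constructed sample host name (DESKTOP-ABC123); the only real indicator it uses is the nomonth-man.com domain from the post.

```python
"""Flag the persistence and download behaviour described in the post
in constructed sample telemetry (added example, not ASEC code)."""
import re
from typing import Dict, List
from urllib.parse import urlparse

# Domain published in the post as the download/upload server.
IOC_DOMAINS = {"nomonth-man.com"}

# A .vbs or .bat script living under the world-writable Public profile.
PUBLIC_SCRIPT = re.compile(r'C:\\Users\\Public\\[^"\s]*\.(?:vbs|bat)\b', re.IGNORECASE)
# HKCU/HKLM ...\CurrentVersion\Run (autostart persistence).
RUN_KEY = re.compile(r'\\Software\\Microsoft\\Windows\\CurrentVersion\\Run$', re.IGNORECASE)
# key=value or key="quoted value" tokens of the simplified event format (assumption).
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed sample events; not real logs from the incident.
SAMPLE_EVENTS = [
    'event=RegistryValueSet key=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run '
    'value=start data="wscript.exe C:\\Users\\Public\\Documents\\start.vbs"',
    'event=ProcessCreate image=C:\\Windows\\System32\\cmd.exe '
    'cmdline="cmd /c C:\\Users\\Public\\Documents\\no4.bat" parent=WINWORD.EXE',
    'event=NetworkConnect image=C:\\Windows\\System32\\wscript.exe '
    'url="http://nomonth-man.com/dfg04/DESKTOP-ABC123.txt"',
    'event=RegistryValueSet key=HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run '
    'value=OneDrive data="C:\\Program Files\\OneDrive\\OneDrive.exe"',
    'event=ProcessCreate image=C:\\Windows\\System32\\notepad.exe '
    'cmdline="notepad.exe notes.txt" parent=explorer.exe',
]


def parse_event(line: str) -> Dict[str, str]:
    """Split one key=value line into a dict; quoted values may contain spaces."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in FIELD.finditer(line)}


def check_event(ev: Dict[str, str], hostname: str) -> List[str]:
    """Return human-readable findings for a single parsed event."""
    findings: List[str] = []
    kind = ev.get("event", "")

    # moster.bat behaviour 1: start.vbs registered under the Run key.
    if (kind == "RegistryValueSet" and RUN_KEY.search(ev.get("key", ""))
            and PUBLIC_SCRIPT.search(ev.get("data", ""))):
        findings.append("Run-key persistence pointing at a script under C:\\Users\\Public")

    # moster.bat behaviour 2: a batch file dropped by the Word macro is executed.
    if (kind == "ProcessCreate" and ev.get("parent", "").lower() == "winword.exe"
            and PUBLIC_SCRIPT.search(ev.get("cmdline", ""))):
        findings.append("Word launched a script from C:\\Users\\Public (macro-dropped batch file)")

    # moster.bat behaviour 3: download of <COMPUTERNAME>.txt from the attacker's server.
    if kind == "NetworkConnect":
        parsed = urlparse(ev.get("url", ""))
        host = (parsed.hostname or "").lower()
        last_segment = parsed.path.rsplit("/", 1)[-1]
        if host in IOC_DOMAINS:
            findings.append(f"connection to known attacker domain {host}")
        if last_segment.lower() == f"{hostname}.txt".lower():
            findings.append("download of <COMPUTERNAME>.txt (victim-specific second stage)")
    return findings


def scan(lines: List[str], hostname: str) -> Dict[int, List[str]]:
    """Map the index of every suspicious line to its findings."""
    results: Dict[int, List[str]] = {}
    for idx, line in enumerate(lines):
        hits = check_event(parse_event(line), hostname)
        if hits:
            results[idx] = hits
    return results


if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS, "DESKTOP-ABC123").items():
        print(f"line {idx}: " + "; ".join(hits))
```

The host-name check is what makes the download rule useful beyond this one domain: the post notes the second stage is fetched as %COMPUTERNAME%.txt, so a request whose final path segment equals the local machine name followed by .txt is suspicious regardless of the server. The two benign events (a legitimate HKLM Run value and a notepad launch) produce no findings, which is the false-positive check worth keeping when tuning such a rule.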

It appears that the attacker is currently attempting to expand their scope of attack beyond North Korea experts and virtual asset professionals. Users must be cautious when downloading attachments from emails or websites of unknown origin. When opening Word files, extra caution is needed if there are messages or images prompting the user to click “Enable Macros”, as clicking it may run a malicious macro.

AhnLab’s anti-malware software, V3, detects and blocks files related to the attack using the aliases below.

[Detection Name (Engine ver.)]
– no1.bat : Trojan/BAT.Runner (2022.03.30.00)
– download.vbs : Downloader/VBS.Generic (2022.03.30.00)
– temp.doc : Trojan/DOC.Agent (2022.03.30.01)
– moster.bat : Trojan/VBS.Akdoor (2022.03.30.00)
– no4.bat : Trojan/VBS.Akdoor (2022.03.30.00)
– start.vbs : Trojan/VBS.Runner (2022.03.30.00)
– upload.vbs : Trojan/VBS.Akdoor (2022.03.30.00)

[MD5]
050e663bf6c97a953e25eb7e9754d656
07232fe7144b0286eb5c9882834eea96
0b41f93365ec443406df942914317ec7
85165e07b9f198a5e4047756eb779b46
a0fddb12d7b3c445fdb7ab602a5bf5fb

[URL]
http[:]//nomonth-man[.]com/uio04/upload[.]php

Gain access to related IOCs and detailed analysis by subscribing to AhnLab TIP.